Analysts eye revamp of U.K. cybercrime law

The U.K. government is proposing changes to an existing law that it says will bolster the ability to prosecute hackers and put them in prison longer -- but analysts question whether the moves will constrict an explosive growth in costly cybercrime.

The U.K. has sought to tighten the Computer Misuse Act of 1990 to more precisely target denial-of-service attacks, which have been used to extort operators of online gambling sites.

Other legal cases in recent years have also brought into question whether the law, composed of three sections, was keeping up with rapid changes in technology.

In November, a judge threw out a case against David Lennon, who allegedly crashed his former employer's e-mail server in a DOS attack in early 2004 using an automated program to send 5 million messages.

Lennon, who was 16 years old at the time of the attack, told authorities after his arrest he wanted to cause "a bit of a mess up" in the company, court documents said.

The judge said the company's Web site invited users to send e-mail. He ruled the section of the CMA under which Lennon was charged was intended to deal with Trojan horses, worms and viruses that corrupt or change data, not e-mail.

Last month an appeals court judge sent Lennon's case back to trial, ruling the volume of e-mail was unwarranted, even if the Web site solicited e-mail. Lennon's case is pending in Wimbledon Magistrates Court.

The amendments to the CMA are currently being considered in the House of Lords as part of the Police and Justice Bill, a comprehensive law enforcement package.

The changes would increase the maximum penalty for unauthorized modification of a computer, under which DOS attacks could be included, from five to 10 years. The maximum penalty for unauthorized access would be raised to two years, up from six months.

An expanded third section is intended to more thoroughly cover denial-of-service attacks, including new language making it an offense to supply hacking tools knowing the programs might be used to break the law.

But observers view the changes to the CMA as unnecessary. Graham Smith, a partner at law firm Bird and Bird in London and author of "Internet Law and Regulation," said the act is broad enough to cover most breaches. Further, Lennon's case has added clarity to prosecution of denial-of-service attacks, Smith said.

"We already have what is probably the most broadly drafted and all-encompassing antihacking legislation in the entire world," Smith said. "I've always been of the view that what is required is a willingness on the part of the prosecution to bring cases."

The Crown Prosecution Service (CPS) can't comment on pending legislation, a spokesman said. But on Tuesday, the CPS issued a statement saying its lawyers are undergoing special cybercrime training in areas such as Trojan horse programs, viruses and Internet Relay Chat (IRC).

CPS also addressed its ability to bring cases, saying it would use legislation "creatively" to disrupt organized crime. The CPS, which has upward of 150 prosecutors trained in dealing with high-tech crime, does not keep specific statistics on how many people have been prosecuted under the CMA.

Cybercrime cases are notoriously difficult to investigate since criminals have found complex, technical ways to avoid detection. Hackers are increasingly commandeering vulnerable computers in other countries, using them to send spam messages containing programs that can record keystrokes.

If those programs are run by a user, credit card data and login credentials could be sent back to the hacker.

A former British hacker, Robert Schifreen, said police generally have no idea what to do if someone called and said they have a virus on their computer.

Schifreen's hacking of an online system from BT Group in the mid-1980s spurred legislative moves for a U.K. computer crime law.

"At the end of the day, the police don't have the manpower or the skills to prosecute the hackers anyway, so having better legislation I don't think is going to do any good," said Schifreen, author of "Defeating the Hacker." "Most computer crime doesn't get prosecuted.

"The problem with all legislation is that times change and technology moves on, and however you frame legislation, it's going to be irrelevant fairly quickly and confusing fairly quickly," Schifreen said.

The U.K. recently folded its national computer crime unit, the National Hi-Tech Crime Unit, into a new agency, the Serious Organized Crime Agency. The consolidation, authorities said, would not affect high-tech investigations, despite concerns resources might be diverted.

A survey commissioned by the Department of Trade and Industry this year found security incidents and breaches cost U.K. businesses up to £10 billion ($17.9 billion) annually, double the amount two years ago.

The penalties for computer abuse may matter less than how the courts manage parole, said Phillip Hallam-Baker, a computer security expert and principal scientist for VeriSign. A continuing ban on those who have been prosecuted from using computers could blunt future malicious activity, he said.

"After being withdrawn from the hacker fraternity for about five years, very, very few hackers can make a return," Hallam-Baker said. "To be anyone in the hacker world, you have to have current skills."

This story, "Analysts eye revamp of U.K. cybercrime law," was originally published by IDG News Service.
